Hi, everyone. First off, I'd like to have a show of hands. How many of you have heard
about or used Tor? All right. How many of you run a relay? Yeah.
So my talk is about the safety of the Tor network, and it's going to be three
different topics. We're going to look at network diversity. We're going to look at the relay
operators, and we're going to look at malicious relays. My name is Runa Sandvik. I work for
the Tor Project. The Tor Project is a nonprofit. We have somewhere between 15 and 20 employees
and contractors right now working full time on Tor and other projects, and we have volunteers
all over the world. We're also hiring, so if anyone's looking for a job, we're hiring
on Tor. The goal of Tor is to promote free speech, free expression, and privacy rights
online, and we do that by developing Tor. We also do a lot of education and outreach.
Over the past two years, we've done a lot of training for journalists. We've met with
activists. We have done a lot of work with survivors of domestic abuse. And so we do
a lot more than just developing this tiny piece of software.
Okay.
So sort of like the background for my talk, over the past two years, I've had the opportunity
to travel a lot. I've met with a lot of interesting people. I've met with activists in Beirut.
I've met with journalists in Istanbul. I've met with university students in D.C. And a
lot of them have like the same sort of questions about Tor and the Tor network. You know, how
safe is the Tor network? Who are the relay operators? What about malicious relays? How
much network diversity is there? And so I'm going
to just comment on one straight off. The CIA does not run Tor. Tor is not a CIA honeypot.
Tor was originally developed by the U.S. Naval Research Lab. But that was before 2000.
Since 2002, Tor has been completely free and open source and developed by the Tor Project.
So before we start, kind of go deeper into these topics, I'll kind of start with a quick
introduction to onion routing. So there's two ways that you can run Tor. You can run
Tor as a relay or you can run Tor as a client. When you run Tor as a relay, you will set
it up on a computer or a Raspberry Pi or whatever it is, your toilet. And you can decide to
run it as an exit relay or a non-exit relay. So you can decide whether or not you want
Tor users to exit onto the public Internet from your computer. In the case that you're
not running an exit, you'll be running what's called a non-exit. And that non-exit could
also be what's called a guard relay, which is the first server that users connect to.
So running Tor as a client, you download Tor onto your computer. You open it up. And your
Tor client will then, first off, download the list. It's called a consensus. Download
the list of all the relays in the network. And out of those roughly 4,000 relays right
now, it will pick three guard relays. And for the next two to three months, it will
only choose between those three when it chooses the first hop. So after choosing that guard
relay, it will choose the middle relay and the exit relay. And after that, Tor will set
up a connection between your computer and the guard relay. And it goes from there. And
it will negotiate a short-term session key. It will then connect through the first server
to the second server and negotiate a second short-term key. And it will do the same for
the exit relay. So that when the whole circuit, which is the connection from you to the last
‑‑ from you to the destination Web site is set up, the data that you send, for example,
I want to visit Twitter.com, will be wrapped in three encrypted layers. So you send off
the packet from you to the destination Web site. And then the data that you send, for
example, from your computer to the guard relay. And the guard relay will then peel off that
third outermost layer and see that, okay, the packet came from you and it's going to
somewhere else in Tor. So it will send the data off. It will send this blob of data off
to the second relay. The second relay will peel off that second layer, see that the packet
came from somewhere in Tor. It's going to somewhere in Tor. But that's all it knows.
So we'll send it off to the third exit relay, or the third relay, the exit relay, which
will then peel off that final layer, see that it came from the middle relay, and see
that it's going to Twitter.com. So in this model, there is no single hop that will see
what you are doing online. Now, the challenge here is if someone ‑‑ the same person
owns the guard relay and the exit relay, that person can see what you are doing online.
That person can see that you are using Tor to visit Twitter.com. Another issue is the
exit relay. The exit relay operator can't look at any traffic going from her relay
to the public Internet. And I'll get back to that later on.
So at the moment, there's roughly 4,000 relays in the Tor network, pushing around
2,500 megabytes a second in aggregate. And you would think that 4,000 relays, we have
500,000 daily users. And you think that 4,000 relays is a good number. But if you look
at this graph, it shows that out of those 4,000, only 1,000 of them are exit relays.
And only 1,000 of them are guard relays. So when your Tor client is trying to choose
which servers to send traffic through, it only has 1,000 or less options for the first
hop and the third hop.
So I figured a lot of you will probably want to know about how Prism or other spying programs
affect Tor. And Tor was originally designed to protect government communications, to hide
where you are and who you're talking to. So Tor can't hide the fact that you're talking,
how much you're talking, or when you're talking.
But Tor can give you location anonymity. If you're here at DEF CON and you're using
Tor to connect to Twitter, Twitter will see that you're the one logging on because you
have a user name and a password. But they won't know that you're here.
So like I mentioned, if the same person owns the guard relay and the exit relay, they can
see what you are doing online. And recently, it's sort of after Snowden leaked all of these
documents, we learned that Tor is the only server that can do that.
And so we learned that there are countries colluding. There are countries working together
on other spying programs. So now the issue, the concern is not so much who's running the
relays but who owns the links, who controls the ASs, who controls the Internet exchange
points, right? It's not necessarily about the relays. So this kind of all fits into
like whether or not we should consider different threats. If we should reconsider the threat
model for Tor.
And so this is a paper that will be published later this year that a group at
the U.S. Naval Research Lab worked on. It's called "Users Get Routed: Traffic Correlation
on Tor by Realistic Adversaries." So they took Tor the way it works right now and looked
at what happens if you're sending your data through relays that happen to be controlled
by the same entity, by the same AS.
Or in similar Internet exchange points. Or by countries that are now known to work together
on different spying programs.
We are sort of considering how we can approach this. We're sort of trying to figure out
if changing the way Tor selects relays is something that we should actually do or if
users are safer now than if we were to choose a different algorithm.
So that is ongoing research right now. What is, you know, worth considering, I guess,
when you're using Tor.
So that sort of fits in with the topic of network diversity. You probably can't see
that table, but so all this data is public. And this one is from Compass, compass.torproject.org.
And it shows the likelihood that you will have your guard relay, your middle relay, and your exit relay
in different countries.
So at the top of the list there's a 25% chance that your first server will be in the U.S.
There's a 23% chance your middle server will be in the U.S., and there's a 34% chance
that you will exit in the U.S.
And below that, there's a 29% chance that you will enter in Germany, that your middle
relay will be in Germany, but only a 6% chance that you will actually exit in Germany. On
the top of the list, you'll see the log. Of course, I don't want to tell you. You'll
is U.S., Germany, Netherlands, France, Sweden. So we have 4,000 relays in like 150 different
countries. But Tor will look at the relays that are offering the most bandwidth when
choosing which relays to use for its path. It doesn't look at the countries. It looks
at the bandwidth. And so the more bandwidth you offer, the more likely it is that users
will actually pick your relay. But that means that we may not actually have as much diversity
as we would like to because all the relays are in countries like the U.S. and Germany
where bandwidth is free and where hosting providers are actually happy with us setting
up relays. So I wanted to figure out who the relay operators
are. I wanted to see if I could answer the question of has the NSA ever set up a relay
or not. So I looked at all the data, all the consensus documents that's been generated
since 2007. It's all on metrics.torproject.org. And I tried to figure out, you know, who owns
the IP addresses. That was sort of my starting point. Who owns the IP addresses for all of
these relays? And I did not find any government entities running relays. That means, well,
one, they're not running any relays in their own data centers. But also that they're not
running relays at all. We now know about all of these spying programs. We know they
have access to links to Internet exchange points. They have connections all over the
world. Why would they need to run relays? Right? They have access to all of this information
in a number of other ways they wouldn't necessarily have to run relays. A couple of sort of interesting
observations or relays.
That did pop up was TBREG. If you used Tor back in 2008 and you're on our mailing list,
you will have seen this name pop up. So TBREG was the nickname of a few Tor relays that
were running inside China. And were running as Tor exit relays inside China. And over
the course of a year, TBREG had $50,000 worth of relays in their own data centers. And that
20,000 different IP addresses associated with it. Now, I don't know who inside China would
have access to, well, one, be able to set up a Tor exit relay, and two, have 20,000
different IP addresses in a year. But my guess is that, you know, government, university
maybe. But we don't know. We never actually caught this relay doing anything malicious.
And after a year, it sort of just fell off the grid and we haven't seen it since.
A couple of years later, Trotsky popped up. It was the name of a number, a couple of thousand
relays in Eastern Europe, all running on sort of dial up or at least offering very, very,
very little bandwidth to Tor. So there was ‑‑ it wasn't an exit. There was no contact
information given as to who wrote it.
We were the relay operators. And at that point, we decided to take it out of the consensus
because we believed it might be a botnet. We haven't really been able to figure out
whether or not it was a botnet, but we only saw Trotsky for two, three weeks, and that
was it. So when I said take out of the consensus, we have a way ‑‑ and I'll get back to
that later ‑‑ we have a way to ‑‑ when we see that there are relays misbehaving,
we have a way to mark them as bad.
And then ‑‑
We have a way to take them out of the consensus. It means that when client downloads the list
of the Tor relays, it will just not choose bad exits for its circuit.
So Orbot is, yes, Orbot is the Tor for Android. So you can run Tor as a client on your phone
or your tablet, and you can browse through Tor. You can also run Tor as a relay on your
phone or set up a Tor hidden service. And I saw a number of nicknames, a number of relays
with the Orbot nickname popping up in the Middle East. There are a lot of users with
mobile phones, with smartphones, and apparently a lot of them set up relays a couple of years
ago as well. So there are a lot of different groups sort of running relays. There are those
who run relays on a Raspberry Pi. There are those who sort of try and run bigger groups
of relays in the case of Orbot or TBReg. They may or may not actually be malicious. Then
there are the groups that are sort of supporting the Tor network in a completely different
way and in a very, very good way. So who's sort of torservers.net? Some. Okay. So torservers.net
is a German nonprofit whose only goal is to increase network diversity. They will take
donations and spend that money on relays for the Tor network, primarily Tor exit relays,
which is when you saw the list of, you know, there's a 23 percent chance that you'll exit
in the U.S. or in the Netherlands, most of those relays actually belong to torservers.net.
So, when you're using Tor, you are more likely to end up using a relay owned by torservers.net
or one of the other groups that I'll show because they're running so many relays and
because they're offering so much bandwidth. So you're more likely to use relays that are
run by people that we trust rather than some random guy in, I don't know, the U.K., for
example.
Okay.
The Chaos Computer Club is sort of similar. They also run relays offering a lot of bandwidth.
I think in the list of ‑‑ if you create a list looking at which relays offer the
most bandwidth, Chaos Computer Club would come up as number two.
So another group is DFRI in Sweden.
They just set up ‑‑ I don't think they have non‑profit status yet, but they've
just sort of managed to get everything together and they're able to accept donations and spend
‑‑ just put the money towards actually running high bandwidth relays.
Another group is Noisetor out of San Francisco. They will also take donations. Some of these
groups, I'm not sure about all of them, but they will also take donations in bitcoin.
So if you can't run a relay, then maybe you can just donate.
To add to someone who can actually set it up for you.
So malicious relays.
There are, I guess, three groups of malicious relays.
The first one is malicious but not intentional, meaning that someone set up an exit relay
and they have, you know, they have OpenDNS or they have an antivirus.
That is, blocking certain sites.
And while they may feel safe using that, having that on a Tor exit relay means that users
will also ‑‑ Tor users will also sort of end up with the same filter.
So if they can't visit Google.com, then, you know, any Tor user will be unable to visit
Google.com.
In those cases, we try to contact the relay operators.
And when you ‑‑ so when you're setting up a Tor relay, you can sort of ‑‑ you're
able to put in your contact information if you want.
And if something is actually wrong or, you know, we're asking you to upgrade your relay
or something like that, we know how to contact you.
So we will try to contact these relay operators and sort of ask what's going on and see if
maybe they can just reconfigure their computer to not censor users.
The second category is straight‑up malicious.
Those that, you know, try and strip off SSL or do some other sort of man in the middling.
Or, again, censor sites just more actively.
We will try to contact the operators when we can, when there is contact information
given.
But if they're found to actually be just malicious and they don't have contact information,
we will just take them out of the list.
The third category is passive, sort of more malicious, but not necessarily detectable
in the sense that they will be logging traffic.
Okay.
So I mentioned that, you know, when you're using Tor, the traffic from you to the exit
relay is visible to the exit relay operator.
It means that the exit relay operator can see what people are doing online.
They won't know necessarily who's doing what, but they'll see what people are doing, which
websites people are visiting.
And in some cases, people set up exit relays just to log all of this information.
That is not something that we can actually detect, and that is a risk, just a risk to
be aware of.
But I would say that it's probably safer to use Tor than not these days.
So a question I often get is how bad can it get?
Say that, you know, you're using Tor, you happen to end up on a malicious exit relay,
how bad can it get?
My answer is that it depends.
I know that's usually an answer that you'd hear from a lawyer, but it really does depend
on what you're doing and for how long you're doing it and whether or not you're actually
logging on.
Say, you know, you're using Tor to access Twitter.
You go to Twitter.com and your browser gives you a warning about a fake SSL certificate.
Now if you choose to accept that certificate and log on, you're giving your, like, the
adversary, the attacker, your username and your password, and you have lost.
And that is true regardless of if you're using Tor or not.
In the other case, if the person is just logging traffic and you're not logging in anywhere
and you're not communicating any sensitive information, then that person will just get
lots of random data, lots of Web sites that you're visiting, but not necessarily a way
to tie that back to you.
Another thing to note is. . .
Tor, when creating those circuits, when choosing those three relays and using them to visit
all of the Web sites that you're visiting, Tor will choose a new path for your traffic
every ten minutes.
So if you're visiting Twitter and you spend, I don't know, 20 minutes on Twitter and then
you open a new tab in your browser, Tor will create a new circuit for you.
Whenever Twitter has to open a new TCP connection to pull in new content, Tor will open a
new connection for you. So I'm not sure how to best answer this question of how bad can
it get because it really does depend on what you're doing. But I think in a lot of cases
it's probably better to use Tor than to not use Tor. And the threats that you see on
Tor are pretty similar to using the open wireless network at Starbucks or elsewhere.
So we have a couple of different tools for sort of finding these malicious relays. The
first one is called a consensus tracker, which we created somewhere between the time we saw
TBREG pop up in the consensus and Trotsky. So consensus tracker is essentially just a
script that every hour it will look at the list of relays and figure out which relays
are new.
Which relays just joined the network. And it will just send us an e‑mail. And anyone
can subscribe to the list and see the list of new relays joining the network. So the
information we get is sort of the IP address, the port, which ports the ‑‑ if it's
an exit relay, which ports it allows exit to. Contact information if that has been set.
Just sort of like basic info. It doesn't really check for maliciousness. But if we suddenly
see a new relay, we can just say, hey, this is a new relay. And if it's an exit relay,
and we only have, like, 1,000 relays pop up in Syria, it's at least something that we
can monitor and keep an eye on.
So a couple of years ago, we created Snakes on a Tor, or SoaT. It was a Google Summer
of Code project. The goal of SoaT was to have a set of tests that would allow you to check
for fake SSL certificates, so any sort of, like, tampering with DNS, any other types
of censorship. And it sort of worked for a while. It was written in Python 2.5. And
it is no ‑‑ it is no longer maintained. So for the past probably two, three years,
we've been working on another project called OONI, the Open Observatory of Network Interference,
which if you run what's called ooniprobe, the client, it will check for censorship,
essentially. And hopefully in, like, six months, we'll be able to do that.
In six months or so, ooniprobe will be able to do what SoaT once did, so that we can more
actively check for malicious relays or misbehaving relays.
So the tool we have right now is the Tor exit SSL checker. And it is one thing. It
checks for fake SSL certificates. It will take the list of exit relays and a list of
URLs that you have given it, say, Twitter and gmail.com, and it will connect, you know,
to the exit relays and download the SSL certificate. And then it will do the same over non‑Tor
and compare the two. And if there is a difference, it will give you a warning.
So yeah. We only check for SSL certificates right now. We hope to be able to check for
other types of malicious behavior in the future. So there's, like, a lot of things that are
going on. There's, like, three ‑‑ I guess three topics that I sort of wanted to touch
on that I hope that you will leave this talk with.
One, I want you to use Tor. It seemed like a lot of people were already using Tor. In
the case that you're not, please do. We always say that anonymity loves company. So the more
people that use Tor, the better off you are. If you're the only person at DEF CON using
Tor, you sort of stand out. If you're one out of 12,000 people here using Tor, you
are better off. So the more people use Tor, the better.
Two, run or fund a fast relay. Not a lot of people here run relays. I'm not sure why.
If it's lack of bandwidth, if you just don't know how, if you're worried that you'll be
an exit relay. But no matter what the reason is, you can always fund a fast relay. Funding
torservers.net. We're back.
You're back? We are. I think you know the routine. Everyone
else in the audience, what are we going to do now?
That mic is dead. Backed out. Backed out.
I have the mic, actually. That mic is ‑‑ just yell.
Can I just get really close then? No.
Okay. Just talk really loud.
That was a good answer. You all know the routine. What are we going
to do?
Do we need someone from the audience? Oh, yeah. Do we have any first‑time
attendees? You, sir.
Come on. I put them all the way in the back.
Did you? No.
Can I say that? Sure, you can say that.
Thanks.
Did you get one?
No.
Okay.
Okay.
We're back. All right. To our first‑time speaker and our first‑time
attendee.
I've got a lot of time for questions.
I sort of wish I had started with that.
You can run a fast relay and help increase network diversity or you can run an exit scanner
or help us improve the ones that we already have. And help us find misbehaving relays.
So at this point, being first‑time speaker at DEF CON and sort of talking a lot faster
than I usually do, I have a lot of time for questions. So if you have questions, you can
line up with the microphone up front.
Is it safe legally to run an exit if the people on the network are doing illegal
things?
I got half of that. Do you want to try and repeat it?
Is it safe legally to run an exit if the people exiting the network are doing illegal
things?
Okay. Is it safe legally to run an exit relay if the people using your exit
relay are doing illegal things?
Running an exit relay is ‑‑ in some cases, it can be a bit risky. So it means that any
Tor user, you know, 600,000 users, a lot of them will be using your server to access
the public Internet. So it means that anything that they do online will be seen as coming
from your computer, from your IP address.
Over the past years, there's been stories about people in Germany having their doors
knocked down and their computers taken or a series of DMCA takedown notices and similar.
We have spent a lot of time trying to educate law enforcement, teach them what Tor is, how
it works, when or how they would encounter Tor when investigating people. And that's
worked out pretty well.
We have sort of helped them understand that, you know, when they do hit an exit relay,
it is Tor. It doesn't actually log any information. There is no information to be found there
about the Tor users. But at the same time, if you feel that that is a risk, then running
a non‑exit is probably the safer option. So we have a blog post called Tips for Running
an Exit Relay.
It's a blog post that talks about how to run an exit relay with minimum amount of harassment,
which sort of just lines out a series of steps and things to consider if you want to
set up an exit relay. Sort of, you know, run it on a dedicated server. Don't have your,
you know, personal photos and GPG key and whatever else, chat logs on the same server
that you're running a Tor exit relay. Do not encrypt that drive in the server that
is running the Tor exit relay. If you have a server with a non‑encrypted server, you
have a non‑encrypted disk running only Tor as an exit relay, and Tor is not logging
anything, there will be no information on that server for law enforcement to dig through.
So I would say if you're considering setting up an exit relay, that would probably be
the first ‑‑ first sort of page I would send you to read up on. Whether or not it's
safe legally, I'm not a lawyer, so I can't really answer that question.
Sorry?
ExoneraTor, yes. That is a list of ‑‑ it's a service that allows you to enter an
IP address and see if server X was running as a Tor exit relay at time Y. So in the case
that you do run into issues with law enforcement, you can use that service to sort of point
them to this ‑‑ to our page and sort of explain to them that you were actually
running an exit relay.
If you do run an exit relay and you run into problems, you can also e‑mail us and we
will send a signed letter just confirming that, yes, you were running an exit relay
at that point in time.
So there's hidden entrance nodes via bridges. Is there any look or work into having hidden
exit nodes?
Yeah.
So the question is about bridges. The image that I showed of how Tor works that
mentioned the guard relay, we also have something called bridges, which is similar to the guards,
just that they're not listed on the Internet. You can't find a list of every single bridge,
which means that if you're in China and you need to connect to the internet, you can't
connect to Tor, and Tor is being blocked, and you can use a bridge instead.
I don't think ‑‑ I'm not sure if we have even considered hiding the exit nodes.
I'm not sure if that would actually be a good defense. It sort of seems to me like
it would be just a bit of an arms race. You know, we would hide them, someone would find
them, and it would continue from there.
Okay.
Sure. What about ‑‑ what about running relays in the cloud, and how ‑‑ like,
for instance, if there are just a whole bunch of cloud‑based, like Amazon AWS‑based relays,
what does that do to your network diversity?
Okay. Relays ‑‑ so with Amazon specifically, you are allowed to run a bridge. Running
a relay is also allowed. As far as their technology is concerned, they're not allowed to run a bridge.
They're allowed in terms of service, but you will be paying too much money for bandwidth.
So not ‑‑ so you just don't want to do that. And an exit relay is not allowed in
their terms of service. But if someone were to suddenly set up thousands of relays to
join the network, I'm not sure it would help the diversity too much. So Tor will only pick
fast relays to use for its circuits. So if you have like a thousand sort of slow relays
joining the network, that would be a good thing. But if you didn't have a network,
network, then we would have a thousand sort of slow relays joining the network. I don't
think it would do much to users. A question is pretty specific regarding are
you aware of whether or not Google Fiber's terms of service restrict you from running
an exit relay or not? Sorry? If Google Fiber's terms of service,
would that restrict you from running an exit relay or not?
I don't know. If anyone from Google is here, can answer that question, then we would
all like to know. No servers on Google Fiber.
No servers at all? If anyone from Google is here, then I'd like to talk to you.
No computers on Google Fiber.
Any other questions at this point?
I didn't hear the phone.
, if there are more malicious relays than none?
Okay. If there are more bad users than good users. Okay. We don't know. I mean, so you
go to our website and you download Tor, and the only thing that pops up in our Apache
logs is that someone visited Tor. We don't log your IP address. We know that people are
downloading Tor, but that is it. We have no information. We don't know what you're
using Tor for. Back in the day, someone did a study to see at least which protocols were used the
most, and it was just mostly web traffic. But apart from that, we have no way of telling what
people are doing over Tor.
Did you guys accidentally ban Facebook?
We were accidentally banned by Facebook, yes. The issue that was a month ago,
okay, so it does happen. So someone used Tor to sort of try and scrape content from
publicly available content from Facebook, and Facebook sort of accidentally blocked a ton of
Tor exit relays. So it does happen, but, like, we have no way of telling how often it happens or
how many users are actually misbehaving that way.
Can you speak to hidden services?
What about hidden services?
Can you briefly detail what they are?
Okay. Tor hidden services, dubbed by the media as, like, dark web, deep web, is a
way of hosting content anonymously over Tor. So it means that you can set up a website,
and it will have the URL of, like, 16, like, a random string of, like, 16 characters and .onion
at the end, and it will only be accessible over Tor, and no one will know that you are the
one hosting the site.
And you will not know who is visiting the site because everything is over Tor.
The content cannot be censored. We cannot find out who is actually running Tor hidden
services. And so it's sort of just anonymous hosting in a way.
Recently there was a paper published pointing out a number of issues with Tor hidden services,
and we wrote a very long blog post explaining all the things that we would like to see improved
with Tor hidden services.
How do you establish trust for the consensus?
So when you set up ‑‑ the question was how do you establish trust for the consensus?
How do you make sure that the list clients download is a safe list?
When you set up a relay, your relay will tell nine directory authorities that it exists.
And these nine directory authorities will then confirm that you are the one hosting the site.
They will tell you that your relay has the IP address that you've said that it has, that,
you know, the nickname matches.
If it's an exit, it will make sure that you can actually exit.
And then these nine directory authorities will vote on this information, whether or not
that information is correct.
If the majority of them vote that, yeah, it's correct, it's valid, then that relay makes it into the consensus.
And once they have done that for all the relays in the network, that list is then signed
by every single directory authority.
And when the client downloads this list, they will check that the signatures are okay.
I had a follow‑up question to that.
Who controls the directory authorities and who controls the onion domain name services or servers?
Okay.
The directory authorities are run by Tor.
Core Tor project developers or people that we trust.
So there's a good mix of some of them are in the U.S., some of them are outside of the U.S.,
some are run by Tor people and some are not.
But you have to be a trusted member of the community to be able to run one.
The second question was about the .onion domains.
No one really controls that.
You generate a domain when you set up a Tor hidden service.
And that's that.
Talk about Japan.
Japan.
Is there sufficient diversity in the directory authorities to protect from court orders in a single country?
Is there diversity in the directory authorities to protect from court orders for a specific country?
Yeah.
Okay.
The NSA decided to set up a house of relays.
And then it served you guys.
If the NSA served us with any type of letter to mark relays as bad and to effectively redirect all Tor traffic to the NSA, then we just wouldn't do it.
Is there any way for an exit relay to find out from an exit node where the traffic is coming from?
Is there any way for an exit node to find out how or where the traffic is coming from?
Is there any way for an exit relay to figure out who the Tor user is?
No.
So the only information that the exit relay has is that people are doing stuff.
That people are watching, you know, videos of cats.
So the only thing that you can do if you were to attack Tor users would be to make sure that you are that first hop, that you are the guard relay and that you are the exit relay.
And doing that when targeting a person seems really, really difficult.
I mean, I'm sure you have, or at least the NSA maybe probably has way better options to actually target people than to try and spin up a thousand Tor relays.
Okay.
So Tor is TCP only right now.
We have a proposal for UDP, but I'm not sure what the status is.
I don't think we've done a lot of work on that for a while.
We have done more work on getting Tor to play nice with IPv6.
How about hardware integration?
Is there any hardware?
Can you repeat that?
Hardware integration.
Hardware integration.
Okay.
Thanks.
So we have a project called the Tor router, where the goal is to just take like a stock router and put Tor on it and make sure that, you know, it sets up a wireless network where everything that you do on that wireless network is sent through Tor and that it is also running as a bridge or a relay.
Or an exit relay, for example.
That project will probably be announced in about six months.
There are other projects like the, what is it, the Onion Pi.
I know FreedomBox has sort of worked on some stuff.
There's a lot of work being done.
We need more people to sort of help us test those projects.
But we don't have anything right now.
What's your opinion on an exit node filtering traffic?
If you're running an exit node to filter traffic, then you might as well just not run an exit node at all.
Like sites like child pornography, for instance.
Sure.
Okay.
If you want to talk about child pornography specifically.
Running an exit relay to filter content in general means that, you know, who are you to decide what people can and cannot watch online?
Right?
If you, okay, so you obviously, I think we all agree child porn is bad.
But what if we gave people the ability to actually decide what Tor users can and cannot visit through their exit nodes?
And I decided watching videos of cats is bad.
So suddenly I am censoring a number of Tor users who wanted to look at totally legitimate things.
So we just decided that we shouldn't decide what users can and cannot watch online.
It also means that we cannot be asked or forced by anyone to censor anything or give out any type of information.
We don't have anything.
We don't control the network.
Users do.
Anything else?
So just one, to that last point, is there a problem right now with a deficiency in the number of exit nodes?
Like if I can run an exit node by filtering certain sites like child pornography sites that are illegal wherever I am,
it might be a restriction that prevents me from running a node.
Do you think it's worth running an exit node under that situation?
Are you guys desperate for exit nodes?
We are desperate for exit nodes.
But we would prefer exit nodes that are not touching user traffic, regardless of what it is.
Will ISP know anything about the section?
There are absolutely no logs.
Nine.
So the question was if we have any logs at all.
And the answer is no.
We don't have anything.
When you visit our website to download Tor, we write just zero.
We write all zeros in the log.
Or we write all zeros if you're visiting the HTTP version of the site and one at the end if you're visiting the HTTPS version.
So you download Tor and we don't know that you downloaded Tor.
When you start up Tor, the only ‑‑ there's sort of two entities that will know that you're using Tor.
It's your ISP and it's the guard relay.
They will know that you're using Tor.
They won't know what you're using Tor for.
And the exit relay will know that someone is using Tor to do something, but they won't know who.
So there are no logs.
There's nothing to be subpoenaed.
We cannot be given any magical letters to force us to do anything.
We don't have any info about our users.
What about the ISP?
That's a good point.
The ISP ‑‑ yeah, the ISP, you know, whoever the backbone provider is.
It's a good question.
The question is, you know, if they actually look at that traffic.
Do you know?
Is that, like, a common thing for ISPs or service providers on a top level?
Does a backbone provider log incoming connections to websites that are hosted by people?
Sorry.
If we want ‑‑ if we're going to put together a list of Tor projects, is that the question?
Tor apps?
Yes.
So we have a list on our website talking about products and services that we have.
And if you're not in that list, then it is not a project that is maintained or developed by the Tor project.
Have you ever seen Tor exit nodes attacking browsers?
No.
I have not seen any Tor exit nodes attacking browsers.
So for users running, like, the Tor Browser Bundle, what safeguards are in place to prevent the exit relay from serving up, like, a malicious message?
Well, you know, Tor is a malicious Twitter.com.
And sending some sort of malicious program back to their computer to kind of make a connection on the open web.
So if there are any restrictions on ‑‑
Well, like, what kind of protections are there?
So the Tor Browser Bundle blocks a lot of things by default, like Flash and Java and some JavaScript and things like that.
Okay.
But that is it.
If an exit relay is actually able to inject a very specific type of exploit into the user's traffic, then there are no ‑‑ like, if you can do that without Flash or Java or getting the user to open an attachment, then, yeah, you win.
Okay.
So he's ‑‑ he's a little bit of an expert.
Yeah.
So he's waving at me, saying that I'm out of time.
So I figured we can meet in the Chill Out room if you have more questions so we can kind of continue there.
Thanks.
We'll probably call it a day.
Yeah.
Thanks.
Do we have any questions?
